Lucene search
K

361 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-10865

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...

5.3CVSS0.0037EPSS
Exploits0References10
EUVD
EUVD
added 3 days ago10 views

EUVD-2026-43152

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...

5.3CVSS6.1AI score0.0037EPSS
Exploits0References10
CVE
CVE
added 3 days ago16 views

CVE-2026-10865

CVE-2026-10865 affects the Cost Calculator Builder plugin for WordPress. The vulnerability exists in all versions up to 4.0.11 and arises from exposure in the template body, allowing unauthenticated attackers to read plaintext payment gateway secrets (Stripe secret key, Razorpay secret key, and P...

5.3CVSS6.1AI score0.0037EPSS
Exploits0References10
NVD
NVD
added 4 days ago22 views

CVE-2026-57219

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauthclientsecret, exposing credentials to unauthenticated callers when the...

8.7CVSS0.0033EPSS
Exploits0References6
CVE
CVE
added 4 days ago55 views

CVE-2026-57219

RabbitMQ suffers an unauthenticated disclosure vulnerability in the management API: the obsolete GET /api/auth endpoint can reveal the OAuth 2 client secret on installations configured with management.oauth_client_secret prior to versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. The issue arises when ...

8.7CVSS6.1AI score0.0033EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 4 days ago19 views

PT-2026-57304

Name of the Vulnerable Software and Affected Versions RabbitMQ versions prior to 3.13.15 RabbitMQ versions prior to 4.0.20 RabbitMQ versions prior to 4.1.11 RabbitMQ versions prior to 4.2.6 Description The management plugin exposes an obsolete GET '/api/auth' endpoint that can disclose the OAuth ...

8.7CVSS6.1AI score0.0033EPSS
Exploits0References12
RedHat Linux
RedHat Linux
added 6 days ago7 views

github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API

A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...

7.5CVSS5.9AI score0.00326EPSS
Exploits0References9
NVD
NVD
added last week6 views

CVE-2026-46700

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS0.00342EPSS
Exploits0References4
OSV
OSV
added 2026/07/02 7:21 p.m.2 views

GHSA-4Q9J-6299-GXMR Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth

Summary The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the clientsecret field. Any network-reachable attacker can read the OAuth client secrets configured f...

6.3CVSS6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55450

Name of the Vulnerable Software and Affected Versions dragonfly versions prior to 2.4.4 Description The Dragonfly Manager fails to enforce authentication on specific API endpoints, allowing unauthenticated network-reachable attackers to retrieve sensitive OAuth client secrets. The issue occurs...

6.3CVSS6AI score
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/07/01 7:33 p.m.6 views

github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API

A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...

7.5CVSS5.8AI score0.00326EPSS
Exploits0References9
RedHat Linux
RedHat Linux
added 2026/07/01 6:46 p.m.8 views

github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API

A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...

7.5CVSS5.8AI score0.00326EPSS
Exploits0References9
OSV
OSV
added 2026/06/25 10:34 p.m.3 views

GO-2026-5710 Prometheus Azure AD remote write OAuth client secret exposed via config API in github.com/prometheus/prometheus

Prometheus Azure AD remote write OAuth client secret exposed via config API in github.com/prometheus/prometheus...

7.5CVSS5.9AI score0.00326EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/06/25 6:47 p.m.7 views

keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token

A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...

6.5CVSS5.9AI score0.00267EPSS
Exploits0References4
NVD
NVD
added 2026/06/25 5:17 p.m.9 views

CVE-2026-9705

A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...

6.5CVSS0.00267EPSS
Exploits0References6
CVE
CVE
added 2026/06/25 4:17 p.m.15 views

CVE-2026-9705

Affected software & component: Keycloak – client registration service. Vulnerability: An attacker with a previously issued Registration Access Token (RAT) can re-enable a client that an administrator had disabled. This bypasses security controls and allows the attacker to reset the client’s secre...

6.5CVSS5.9AI score0.00267EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2026/06/25 4:17 p.m.39 views

CVE-2026-9705 Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token

A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...

6.5CVSS0.00267EPSS
Exploits0References6
NVD
NVD
added 2026/06/12 8:16 p.m.16 views

CVE-2026-42604

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:42 p.m.31 views

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:42 p.m.9 views

EUVD-2026-36543

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
Rows per page
Query Builder